BLOG POST

Effective Password Management: Random, Yet Sophisticated

Although password strength is not a topic we usually discuss at length—mostly because it’s only a small component of effective privileged account security—it is still a fundamental security best practice that requires our attention. In fact, the root cause of many advanced attacks can still be traced to weak passwords (particularly of the privileged variety, of course).

Take “Red October”, for instance, a sophisticated cyber-espionage campaign that had been underway since 2007. Red October was an elaborate attack, run through a network of 60 C&C servers, that targeted the computer networks of various international diplomatic service agencies, mostly in Eastern Europe, former USSR members and countries in Central Asia. The espionage began with the attackers collecting passwords from various locations on a user’s PC and across the network, including the registry, various caches and files. Using the passwords that were all too easily collected, the attackers compiled a vast list of every password used in the network and tried those credentials in all sorts of permutations to spread further across the network and gain access to other systems. The tactic worked, quite successfully, I may add.

Furthermore, a recent ArsTechnica article described how easy it has become for attackers to use the web to obtain passwords through a tactic known simply as “brute force”. The writer describes how Wikipedia pages, and the phrases that appear on the site, can be used to break passwords. By applying a set of rules and permutations to words found on Wikipedia, an attacker can break practically any password—including those guarding powerful privileged accounts with comprehensive access to sensitive information.

Both of these examples, Red October and the ArsTechnica article, prove how important it is to keep all passwords as sophisticated and random as possible, since any average hacker with a powerful graphics processing unit can break any password of up to 12 characters, or can use that same processing power to generate permutations of already available phrases and passwords (from Wikipedia pages, or from a list compiled from the network).

It’s a simple problem that merits a simple reminder: establish a password management policy that requires sophisticated, random passwords. Better still, the policy should leverage technology such as CyberArk’s Privileged Account Security Solution to enforce frequent, automated password changes, together with monitoring and threat detection, as part of an overall password and privileged account security strategy. CyberArk’s solution, after all, automatically generates strong passwords, ones that a user could never remember, a wiki page would never store and a powerful graphics card could never break. The more organizations that take this first step, the more likely they are to eliminate the threat of an attacker brute-forcing his way through their network.
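As an added illustration of the argument above (example code, not from the post or from CyberArk), the following Python puts numbers on the difference between a password built from a dictionary word plus a mangling rule and one drawn from a cryptographically secure random generator. The wordlist size, rule count and guess rate are constructed assumptions, not figures from the article.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw every character from a CSPRNG, so the result is not a word,
    a phrase, or a mangled version of either."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Candidates an attacker must try for a uniformly random password."""
    return alphabet_size ** length


def wordlist_keyspace(words: int, rules: int) -> int:
    """Candidates for a dictionary word transformed by one mangling rule
    (case changes, appended digits, character substitutions and so on)."""
    return words * rules


def entropy_bits(keyspace: int) -> float:
    """Work factor expressed in bits."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


def compare(length: int, words: int, rules: int, guesses_per_second: float) -> dict:
    """Side-by-side work factor for a word-based versus a random password."""
    word_space = wordlist_keyspace(words, rules)
    rand_space = random_keyspace(length)
    return {
        "wordlist_bits": entropy_bits(word_space),
        "wordlist_seconds": seconds_to_exhaust(word_space, guesses_per_second),
        "random_bits": entropy_bits(rand_space),
        "random_seconds": seconds_to_exhaust(rand_space, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed figures: a 6M-entry wordlist, 10k mangling rules, and a
    # cracking rig trying 1e10 guesses per second against a fast hash.
    print(generate_password())
    for key, value in compare(20, 6_000_000, 10_000, 1e10).items():
        print(f"{key}: {value:.3g}")
```

With those assumed figures the word-plus-rule space is exhausted in seconds, while the 20-character random password sits around 131 bits of work; the point is the gap, not the exact numbers.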